Operate WireGuard VPN server in Docker

WireGuard is an efficient way to enable VPN connections in a Docker container.

Docker Basics

Docker allows applications to be launched by command in a so-called container.
A container is an isolated environment independent of the operating system (OS):
When a container is first launched, Docker independently loads all the necessary sources
from the internet.
Docker can be installed on Windows, macOS or an Linux Distribution

This setup combines two essential components: the WireGuard container for basic VPN functionality and WireGuard UI for user-friendly management of connections and configuration.

docker-compose.yml

The provided docker-compose file defines two main services:

WireGuard: Uses the "linuxserver/wireguard" image and is responsible for the main VPN connection. The container receives network management rights (NET_ADMIN) and binds volumes and ports for configuration.
WireGuard UI: Provides a user-friendly web interface to manage the WireGuard connections. This service is dependent on the WireGuard service and operates in the same network mode, allowing seamless interaction. Various environment variables are used to define environment parameters and logging is optimized to limit the log file size.

[+]

version: "3"

services:

  wireguard:
    image: linuxserver/wireguard:v1.0.20210914-ls7
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    volumes:
      - ./config:/config
    ports:
      - "5001:5000"
      - "51820:51820/udp"

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=password
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config:/etc/wireguard

After starting with the "docker compose up" command, WireGuuard UI can be accessed via the IP address of the host with port 5001, e.g. http://localhost:5001, if Docker is running on the same machine. The initial password can be specified in the docker-compose.yaml file and changed in the UI.

Wireguard Server - Settings

WireGuard post-up and post-down scripts are used to execute commands after starting or before stopping a VPN connection. They enable automated network or system configurations, such as setting firewall rules or adding routing entries that should only be active when the VPN connection is active. I use the following scripts to ensure that the Wireguard Docker container forwards the host's network traffic:

Post Up Script

Post-up script: Configures firewall rules to allow inbound and outbound traffic and mask network packets.

iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -d 192.168.1.0/24 -j MASQUERADE

The IP range 192.168.1.0/24 should of course be adapted to the network or, if necessary, restricted to certain IP addresses.

Post Down Script

Post-down script: Removes the previously set firewall rules.

iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -d 192.168.1.0/24 -j MASQUERADE

The IP range should be set analogous to the post-up script.

Conclusion

WireGuard simplifies the management and protection of networks through the use of Docker containers for VPN use. With the combination of a WireGuard container and the user-friendly WireGuard UI integrated via the Docker Compose configuration, network traffic is handled securely and efficiently, with post-up and post-down scripts contributing to the dynamic adjustment of firewall and routing settings.